CN105681269A - Privacy preserving set-based biometric authentication - Google Patents

Privacy preserving set-based biometric authentication Download PDF

Info

Publication number
CN105681269A
CN105681269A CN201510648649.9A CN201510648649A CN105681269A CN 105681269 A CN105681269 A CN 105681269A CN 201510648649 A CN201510648649 A CN 201510648649A CN 105681269 A CN105681269 A CN 105681269A
Authority
CN
China
Prior art keywords
registration
data
obfuscation
checking
log
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201510648649.9A
Other languages
Chinese (zh)
Other versions
CN105681269B (en
Inventor
杰斯·哈特洛夫
阿夫拉迪普·曼达尔
阿纳博·罗伊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujitsu Ltd
Original Assignee
Fujitsu Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fujitsu Ltd filed Critical Fujitsu Ltd
Publication of CN105681269A publication Critical patent/CN105681269A/en
Application granted granted Critical
Publication of CN105681269B publication Critical patent/CN105681269B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231Biological data, e.g. fingerprint, voice or retina
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/10Human or animal bodies, e.g. vehicle occupants or pedestrians; Body parts, e.g. hands
    • G06V40/12Fingerprints or palmprints
    • G06V40/1347Preprocessing; Feature extraction
    • G06V40/1353Extracting features related to minutiae or pores
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/50Maintenance of biometric data or enrolment thereof
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3006Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters
    • H04L9/3026Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters details relating to polynomials generation, e.g. generation of irreducible polynomials
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/304Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy based on error correction codes, e.g. McEliece
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3249Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using RSA or related signature schemes, e.g. Rabin scheme
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06VIMAGE OR VIDEO RECOGNITION OR UNDERSTANDING
    • G06V40/00Recognition of biometric, human-related or animal-related patterns in image or video data
    • G06V40/50Maintenance of biometric data or enrolment thereof
    • G06V40/53Measures to keep reference information secret, e.g. cancellable biometrics
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/16Obfuscation or hiding, e.g. involving white box

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Multimedia (AREA)
  • Human Computer Interaction (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Biomedical Technology (AREA)
  • Biodiversity & Conservation Biology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Software Systems (AREA)
  • Algebra (AREA)
  • Pure & Applied Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Mathematical Analysis (AREA)
  • Mathematical Optimization (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Collating Specific Patterns (AREA)

Abstract

The invention provides a privacy preserving set-based biometric authentication. A method includes extracting a set of enrollment feature points from an enrollment biometric measurement. The method also includes randomly selecting one or more enrollment code words from an error correction code. The method also includes determining obfuscated enrollment feature point data describing an obfuscated version of the set of feature points that is obfuscated using the one or more enrollment code words. The method also includes determining obfuscated enrollment code word data describing an obfuscated version of the one or more enrollment code words that is obfuscated using a random enrollment polynomial. The method also includes determining an enrollment biometric template including the obfuscated enrollment feature point data and the obfuscated enrollment code word data. The method also includes determining enrollment data including the enrollment biometric template. The enrollment data may be configured to keep the one or more enrollment code words and the random enrollment polynomial secret.

Description

Biometric certification based on secret protection set
Technical field
Embodiment discussed in this article relates to the biometric certification based on secret protection set.
Background technology
Safety can become important for electronic equipment and service. Along with the importance of safety increases, innovationPerson is seeking new or multi-form certification. A kind of certification of form can comprise that biometric recognizesCard. Biometric certification can comprise: via unique biometric characteristic, user's identity is enteredRow is measured and certification. Unique biometric characteristic can comprise user fingerprint, iris, vein andOne or more in DNA etc. Biometric certification can have the following advantages: make it possible toUser is authenticated in the situation of password without remembeing.
Summary of the invention
According to the one side of embodiment, a kind of method comprises: from registration biometric is measured, extractThe set of registration feature point. The method also comprises: from error-correcting code, random selection is one or moreRegistration code word. The method also comprises: determine the registration feature point data of obfuscation, the note of this obfuscationVolume characteristic point data is described and is used one or more registration code words to carry out the set of the characteristic point of obfuscationObfuscation version. The method also comprises: determine the registration code digital data of obfuscation, this obfuscationRegistration code digital data is described the one or more registration codes that use random registration multinomial to carry out obfuscationThe obfuscation version of word. The method also comprises: determine the registration feature point data and the mould that comprise obfuscationThe registration biometric template of the registration code digital data of gelatinization. The method also comprises: determine and comprise registrationThe log-on data of biometric template. Log-on data can be configured to make one or more registration code wordsKeep maintaining secrecy with random registration multinomial.
The object of embodiment and advantage are by least by the key element, the feature that particularly point out in claimRealize and complete with combination.
It being understood that as request protection, describe, in general terms above and detailed description below the twoBe exemplary and explanat and do not limit the present invention.
Brief description of the drawings
Will be by coming more specifically with accompanying drawing and at length example embodiment being described and being saidBright, in the accompanying drawings:
Figure 1A and Figure 1B are the block diagram of example biometric Verification System;
Fig. 1 C is for wherein realizing client modules or authentication module so that the biology based on set to be providedThe block diagram of the exemplary operations environment of CMA;
Fig. 2 is the block diagram of the example system for the biometric certification based on set is provided;
Fig. 3 A and Fig. 3 B are the block diagram of the sample data for user is authenticated;
Fig. 4 illustrates and determines showing for the method for the log-on data of the biometric certification based on setExample flow chart; And
Fig. 5 illustrates the example flow diagram of the method for the private key that is identified for user to authenticate.
Detailed description of the invention
The biometric certification providing based on set is provided embodiment discussed in this article.
In biometric certification, user may not change user's biometric characteristic. For example,User can register the biometric template that comprises biometric data, this biometric dataOne or more unique traits (such as fingerprint, iris patterns etc.) of user have been described. If biologicalAnd if metering template is revealed user and can not be changed the unique trait of being described by biometric template,Biometric certification may become inefficacy for user. For this reason, biometric Verification System needs strongPrivacy ensure.
The system that provides strong privacy to ensure for biological CMA system is provided in existence. Regrettably,These systems all have many shortcomings.
Such system can be called as " relevant hash " (relationalhash). Relevant hashMethod comprises the base so that iris or palm vein are carried out to biometric measurement as the part of systemUnit (primitive). The biometric measurement being included in relevant ashing technique comprises Hamming distance.The method has known its pregnable fragility that makes. Especially, relevant ashing technique is easy especiallyBe subject to Replay Attack. Relevant ashing technique also has can make it for disposing undesirable many restrictions. ExampleAs, relevant ashing technique can not be used for the biometric measurement that comprises that fingerprint is measured. Relevant ashing techniqueDo not use the fault-tolerant common factor for the range measurement of biometric feature yet.
Other method is called as " fuzzy national treasury " (fuzzyvault). The method can be implemented forFingerprint template safety. The method has much known its pregnable fragility that makes. For example, mouldStick with paste national treasury method and can be reproduced attack or many examples attack (multipleinstanceattack) instituteBreak through. The method also has the restriction that comprises large template size, makes it not ideal for disposing.
Other method is for being used biological token (biotoken). But the method comprises that use is proprietaryFingerprint template security system. The proprietary character of the method can make it not ideal for disposing. For example,The basic technology that forms the method may be underground for checking and assessing to confirm that the method keepsThe confidentiality of the biometric data that provides of user.
The shortcoming of these and other system can be by using the biometric certification based on setOvercome. As being described in more detail below with reference to Figure 1A, biometric Verification System can comprise visitorFamily end and certificate server. Client can comprise client modules, and this client modules comprises and being joinedBe set to code and the routine of the function of the client that provides following. Certificate server can comprise certification mouldPiece, this authentication module comprises code and the example of the function that is configured to the certificate server that provides followingJourney. Client can be operated by registered user and authentication of users. Registered user and authentication of users canTo be same person. Certificate server can provide biometric authentication service. Biometric certification clothesBusiness can comprise two processing: (1) location registration process; And (2) checking is processed. Registered user canRegister with biometric authentication service to use location registration process. Subsequently, certificate server can beChecking determines that whether authentication of users is identical with registered user during processing.
Describe below by the registration office providing according to the biometric authentication service of some embodimentsThe example that reason and checking are processed. In Fig. 3 A, describe the figure of the symbol for describing location registration processDescribe. In Fig. 3 B, having described the figure of the symbol for describing checking processing describes. Below with reference toLocation registration process and checking are processed user, client, client modules, the certificate server of describing and recognizeCard module can with below with reference to the described user of Figure 1A to Fig. 5, client, client modules,Certificate server is identical with authentication module.
Client can start location registration process, and in this location registration process, the registered user of client is with recognizingCard server is registered. Client can provide PKI and registration biometric mould to certificate serverPlate. Registration biometric template can comprise the set of characteristic point data and the code of obfuscation of obfuscationThe set of digital data. Registration biometric template can be by " T={ (yii),...,(ynn) " represent,Wherein, symbol " yi" represent the registration feature point data of obfuscation, symbol " γi" expression obfuscationRegistration code digital data and symbol " T " represent to register biometric template. Symbol " yn" canRepresent: can exist any positive integer in the set of the registration feature point data that are included in obfuscation individualThe registration feature point data of obfuscation. Symbol " γn" can represent: can exist and be included in obfuscationThe set of registration code digital data in the registration code digital data of any positive integer obfuscation. At someIn implementation, the set of the registration code digital data of obfuscation can be corresponding to the registration feature of obfuscationThe set of some data. For example, in some implementations, registration biometric template can comprise pinThe registration code word of an obfuscation of the registration feature point to each obfuscation.
The registration feature point data that are included in the obfuscation of registration in biometric template can describe byThe registration feature point of one or more obfuscations of the registration biometric input that registered user providesSet. For example, registered user can provide the input of registration biometric to client. Registration biometerAmount input can comprise measures registered user's biometric. It is raw that client modules can receive registrationThing metering input, determines that the feature of one or more characteristic points of describing the input of registration biometric is countedAccording to, and the characteristic point data of the obfuscation of the obfuscation version of definite Expressive Features point data.
Registration biometric input can comprise that the finger scan, the retina that are associated with registered user sweepRetouch or other biological metering input arbitrarily. The input of registration biometric can be by " B=b1...bn" tableShow, wherein, symbol " b1" represent the registration feature of the First Characteristic of describing registration biometric inputPoint data, symbol " b1...bn" represent to describe be included in registration biometric input arbitrarily justThe set of the registration feature point data of an integer feature, and symbol " B " represents registration biometricInput.
The registration feature point data of obfuscation can be used one or more code words to enter by client modulesRow is determined. Client modules can be selected at random one or more from error-correcting code (" ECC ")Code word. ECC can be linear error correction code plan or other error correction code plans arbitrarily.In some implementations, client modules can be selected a code word for each characteristic point. Code wordThen can be for making to be included in the one or more characteristic point obfuscations in the input of registration biometric.For example, client modules can receive biometric input, determines registration feature point data, from ECCIn random select one or more code words, and use one or more code words with based on one or moreCode word and registration feature point data are determined the characteristic point data of obfuscation.
The characteristic point data of obfuscation can be by " yi=bi⊕ci" represent, wherein, symbol " bi" tableShow the version of the not obfuscation of registration feature point data, symbol " ci" represent one or more random choosingsThe registration code word of selecting, and symbol " yi" represent the registration feature point data of obfuscation. Symbol " ⊕ "Represent XOR function.
Although certificate server can receive the registration feature point data (y that comprises obfuscationi=bi⊕ci)Registration biometric template, but certificate server is based on being included in registration in biometric templateThe registration feature point data of obfuscation be can not determine registration feature point data (bi) the version of not obfuscationThis. For example,, if registration feature point data are carried out to obfuscation by one or more registration code words(bi⊕ci) and select one or more registration code words and make this or many at random from ECCIndividual registration code word keeps maintaining secrecy to certificate server, and certificate server can not be according to the feature of obfuscationPoint data (yi) decode characteristic point data (bi) the version of not obfuscation.
Client modules can make with random registration multinomial the note of one or more random selectionsVolume code word keeps maintaining secrecy. Client modules can be determined random registration multinomial. Random registration multinomialCan be by symbol " ps" represent. Client can be by not providing random registration many to certificate serverThe version of the not obfuscation of item formula makes to register at random multinomial certificate server is kept maintaining secrecy.
Client modules can be based on one or more random selections code word and random multinomial next lifeBecome the registration code digital data of obfuscation. The registration code digital data of obfuscation can be by " γi=ps(ci) " tableShow, wherein, symbol " ps" the random registration of expression multinomial, symbol " ci" represent one or moreThe random registration code word of selecting, and symbol " γi" represent the registration code digital data of obfuscation.
Although certificate server may have been accessed the registration code digital data that comprises obfuscation(γi=ps(ci)) registration biometric template, but because random registration multinomial (ps) be certificationThe ignorant secret of server, so certificate server be can not determine the registration code word that is included in obfuscationRegistration code word (the c of the one or more random selections in datai). With which, make one or manyThe registration code word of individual random selection keeps maintaining secrecy to certificate server. In addition, because make one or moreThe random registration code word of selecting keeps maintaining secrecy to certificate server, so certificate server can not basisCharacteristic point data (the y of obfuscationi=bi⊕ci) determine registration feature point data (bi) not fuzzyThe version of changing. With which, make the registration spy who is associated with registered user's registration biometric inputThe version of levying the not obfuscation of a data keeps maintaining secrecy to certificate server.
Except registration biometric template, client can provide PKI to certificate server. PublicKey can be by client modules based on random registration Polynomial generation. For example, registering at random multinomial canFor the seed of the generation as PKI. PKI can be by " kpu=public(ps) " represent, wherein,Symbol " ps" represent random registration multinomial, and symbol " kpu" expression PKI.
Except registration biometric template and PKI, client can also provide to certificate serverID. ID can comprise registered user's unique identifier, and does not comprise and registered userThe version of not obfuscation of the registration feature point data that are associated of registration biometric input. Certification clothesBusiness device can be associated ID with registration biometric template and PKI. Although registration biometerAmount template, PKI and ID are provided for certificate server, but make one or more random notesVolume code word and random registration multinomial keep maintaining secrecy to certificate server.
Client can be processed by provide checking request to start checking to certificate server. Checking pleaseAsk the ID that can comprise registered user. For example, authentication of users may wish that certification is for registration useFamily, therefore, authentication of users can provide request input to process to start checking to client. In response toReceive the request input from authentication of users, client modules can be examined from the memory of clientRope user identification data (" ID "), generates checking request and provides checking to certificate serverRequest.
In response to receiving checking request, certificate server can provide checking to address inquires to client. TestCard is addressed inquires to and can be comprised registration biometric template and random number. Be included in the data in checking inquiryCan be represented by " (T, r) ", wherein, symbol " T " represents to register biometric template, and symbolNumber " r " represents random number.
Authentication of users can provide checking biometric to input to authenticate them for registration use to clientFamily. As will be described in more detail below, client modules can use according to checking biometricInput determined checking characteristic point data and recover relevant to the PKI generating during location registration processThe private key of connection. Private key can be registered user for authentication verification user by certificate server.
Client modules the checking biometric input being provided by authentication of users can be provided and determineThe checking characteristic point data of one or more characteristic points of checking biometric input is described. Checking is biologicalMetering input can be the registration biometric input class providing during location registration process with registered userLike type. For example,, if registered user provides finger scan raw as registration during location registration processThing metering input, during checking is processed, client modules can require authentication of users to provide fingerprint to sweepRetouch.
The input of checking biometric can be by " B'=b1'...bn' " represent, wherein, " b1' " represent to retouchState the characteristic point data of the First Characteristic of checking biometric input, and symbol " b1'...bn' " tableShow that describing the checking feature that is included in any positive integer feature in checking biometric input countsAccording to set, and " B' " represents checking biometric input.
For the each characteristic point being included in the set of verifying characteristic point data, client modules canDetermine one or more checking code words. In some implementations, client modules can be based on comprisingAt registration biometric template (T={ (yii),...,(ynn)) in the registration feature point of obfuscationData (yi) determine one or more checking code words, wherein, registration biometric template is included inDuring checking is addressed inquires to. For example, client modules can be according to " c'i=decode(yi⊕b'j) " determine oneIndividual or multiple checking code words, wherein, symbol " yi" represent to be included in registration biometric templateThe registration feature point data (y of obfuscationi), symbol " b'j" represent that description is included in checking biometricThe checking characteristic point data of the not obfuscation version of the one or more features in input, and symbol“c'i" the registration feature point data (y of expression based on obfuscationi) and checking characteristic point data (b'j)And definite checking code word. Client modules can add one or more checking code words by symbol toThe candidate collection for decoding that " S " represents.
Client can be applied weighting and process to determine whether to modifying for the candidate collection of decoding.In Fig. 3 B, described graphically the weighting processing that this paragraph is described with reference to key element 345. ClientModule can be based on one or more checking code word (c'i), the registration feature point data (y of obfuscationi)With checking characteristic point data (b'j) determine weight. For example, client modules can basis “wt(c'i⊕yi⊕b'j) " determine weight. Client modules can be by this weight and by user or pipeThe threshold value that reason person provides compares. If weight is less than threshold value, client modules can be according to noteVolume biometric template is determined the registration code digital data (γ of obfuscationi) and by the registration of obfuscationCode word data and one or more checking code word (c'i) as " (c'i,γi) " be added into for decodingCandidate collection (S).
In some implementations, client modules can comprise the candidate collection for decoding according to confessionDetermine the polynomial decoder of checking. For example, client modules can comprise and is configured to provideThe code of Welch-Berlekamp decoder and routine. It is right that client modules can come with decoderCandidate collection for decoding decodes to determine checking multinomial. Checking multinomial can be by institute belowSymbol " the p describings' " represent.
Client modules can use checking multinomial (ps') determine private key. Private key can be by“kpr=private(ps') " represent, wherein, symbol " ps' " represent checking multinomial, and symbol“kpr" expression private key.
Client modules can use private key to sign to the random number receiving in checking. SignedThe random number of name can be by " d=sign (kpr, r) " represent, wherein, symbol " kpr" expression private key,Symbol " r " represents random number, and symbol " d " represents signed random number.
Client modules can provide to address inquires to certificate server and answer. Address inquires to and answer and can be in response toChecking is addressed inquires to. Address inquires to answer and can comprise signed random number. Authentication module can be verified and be used forWhether the private key that random number is signed is corresponding to the PKI receiving during location registration process. IfPrivate key is corresponding to PKI, and authentication module is registered user by authentication of users certification. If private key is not rightShould be in PKI, authentication module is not registered user by authentication of users certification.
Bright as noted earlier, the critical data of the feature of inputting such as user's biometric is worked as clientCan be by obfuscation while being transmitted between end and certificate server. Like this, client and certificate serverBetween communication can not require such as encrypt security. Certificate server can not be accessed registration featureThe not obfuscation version of some data or checking characteristic point data. Like this, copy user's biometer measurementMeasuring required data can not reveal by certified server. For example, because certificate server self may beHostile person, therefore this is useful.
Embodiments of the present invention are described with reference to the accompanying drawings.
Figure 1A for arrange according at least one embodiment as herein described, example registration is providedThe block diagram of the example biometric Verification System 100 of processing. Biometric Verification System 100 can be wrappedDraw together client 102 and certificate server 140. Client 102 can by one or more user 106A,106B (is referred to as " user 106 " or " multiple user 106 "; Be called " user 106A "Or " user 106B ") access. User 106 can comprise the human user of client 102, orThere is the non-human user of biometric characteristic. User 106 can use client 102 to visit to recognizeCard server 140. For example, user 106A can use client 102 to visit by authentication serviceThe biometric authentication service that the authentication module 108 of device 140 provides. User 106 can comprise differencePeople, or at the same person of different time access client 102. As illustrated below,Certificate server 140 can provide biometric authentication service. Biometric authentication service can be forDetermine that user 106 is same person or different people. For example, during location registration process, user106 can be called as " registered user 106 ", and during checking is processed, user 106 can be claimedFor " authentication of users 106 ". Checking is processed can determine that registered user 106 and authentication of users 106 areSame person or different people.
Certificate server 140 can comprise the computing equipment based on processor. For example, certificate server140 can comprise hardware server equipment or be configured to serve as any other base of serverIn the computing equipment of processor.
Certificate server 140 comprises authentication module 108. Authentication module 108 can comprise and being configured toCode and the routine of biometric authentication service are provided. Authentication module 108 can be stored in certification clothesBusiness device 140 or the addressable memory of certificate server 140 or other computer-readable mediumsOn. Authentication module 108 can be carried out by the processor of certificate server 140, described herein to carry outOne or more operations. Below with reference to Figure 1A to Fig. 5, authentication module is described in more detail108。
Client 102 can comprise the computing equipment based on processor. For example, client 102 canComprise mobile phone, smart phone, tablet PC, laptop computer, desktop computer, machineTop box or connection device (for example, intelligent watch, intelligent glasses, intelligent pedometer or arbitrarily itsHis connection device).
Client 102 can comprise client modules 110 and one or more sensor 198. SensingDevice 198 can comprise the hardware device that is coupled to by correspondence client 102. Alternately, passSensor 198 can comprise the parts of client 102. Client modules 110 can comprise and is stored in visitorFamily end 102 or the addressable memory of client 102 or other computer-readable mediums on generationCode and routine. Client modules 110 can be carried out by the processor of client 102, to carry out hereinDescribed one or more operations.
In some embodiments, authentication module 108 is configured to provide the merit of client modules 110Some functions or repertoire in energy. In some embodiments, authentication module 108 or clientEnd module 110 can be used and comprise field programmable gate array (FPGA) or special IC(ASIC) hardware is realized. In some other situation, authentication module 108 or client mouldPiece 110 can be realized with the combination of hardware and software. Thereby, authentication module 108 or clientModule 110 may be implemented as hardware device.
Client 102 can comprise sensor 198. Although described an only sensing in Figure 1ADevice 198, but more generally, client 102 can comprise one or more sensors 198. PassSensor 198 can comprise that the hardware that is configured to one or more biological natures of measuring user 106 establishesStandby. Measurement can comprise biometric measurement. Biometric is measured can describe the unique of user 106Feature. For example, sensor 198 can comprise one or more in following: fingerprint scanner; QuiltBe configured to the camera head of the image of catching iris; Be configured to measure user 106 the establishing of DNAStandby; Be configured to the heart rate monitor of the heart rate of catching user 106; Be configured to catch by userThe wearable electromyography transducer of the electrical activity that 106 skeletal muscle produces; Or be configured to catch withAny other sensors 198 that the biometric that user 106 is associated is measured.
Client modules 110 can comprise and is configured to determine log-on data 189 and confirms data 179Code and routine. Below log-on data 189 and confirmation data 179 are described in more detail.
In some implementations, client modules 110 can comprise and being configured to from sensor 198Receive the code of registering input 193 and determining registration biometric template based on registration input 193And routine. Describe in the above registering determining of biometric template, therefore, will not repeat at thisThis description.
In some implementations, client modules 110 can comprise be configured to determine with registration rawCode and the routine of the PKI that thing metering template is associated. Described in the above to PKI determine, because ofThis, will not repeat this description at this.
The biometric authentication service being provided by authentication module 108 can comprise: (1) location registration process,And (2) checking is processed. Now by according to an embodiment to being provided by authentication module 108The location registration process of biometric authentication service is described. Below will be according to an embodiment, ginsengAccording to Figure 1B, the checking processing being provided by authentication module 108 is described.
With reference to the key element 195 and 193 of Figure 1A, can initiate the biology being provided by authentication module 108The location registration process of CMA service. Registered user 106 can provide 195 registration inputs 193. NoteVolume input can comprise the input of registration biometric. The input of registration biometric can comprise to be used registrationThe biometric at family 106 is measured. Registered user 106 biometric is measured and can be comprised registrationThe measurement of unique feature of user 106. For example, biometric is measured and can be comprised and registered user106 finger scans that are associated, retina scanning or any other biological measurement.
Client 102 can receive 195 registration inputs 193. Client modules 110 can be determined pinTo registered user 106 registration biometric template, PKI and ID. Registration biometric mouldPlate can be carried out really by client modules 110 in the input of the registration based on being provided by registered user 106 193Fixed. Client 102 can provide 191 log-on datas 189 to certificate server 140. Log-on data189 can comprise registration biometric template, PKI and the ID for registered user 106. NoteVolume biometric template can be represented by symbol " T " in the key element of Figure 1A 189. PKI canIn the key element 189 of Figure 1A by symbol " kpu" represent. ID can be in the key element of Figure 1AIn 189, represented by symbol " ID ".
Certificate server 140 can receive 191 log-on datas 189. Authentication module 108 can be by noteVolumes is be stored in the certificate server 140 or addressable memory of certificate server 140 according to 189Or on other computer-readable mediums.
Certificate server 140 can provide 187 confirmation requests 185 to client 102. Confirm requestCan comprise the signature of registration biometric template included in log-on data 189.
Client 102 can receive 187 confirmation requests 185. Client 102 can be to registered user106 present the signature of registering biometric template. Registered user 106 can provide to client 102183 confirm input 181. Confirm that input 181 can comprise the label of confirming in request 185 being included inThe input that name is confirmed. Confirmation input 181 can also comprise, and recognizing of being provided by authentication module 108 is providedCard is served the following input of confirming: certificate server 140 has received registered user 106Legal registration.
Client 102 receives 183 confirmation inputs 181. Client 102 is carried to certificate server 140Confirm data 179 for 180. Confirm that input 181 can comprise being included in confirmation request 185The data that signature is confirmed. Confirming that input 181 can also comprise using is provided by authentication module 108The data that authentication service is confirmed legal registration of the registered user 106.
Certificate server 140 receives 180 confirmation data 179. Authentication module 108 can be based on to reallyRecognize data 179 reception 108, use the authentication service being provided by authentication module 108 determine registration useFamily 106 is legal registrants.
Figure 1B for arrange according at least one embodiment as herein described, example checking is providedThe block diagram of the example biometric Verification System 100 of processing. Client 102, client modules 110,User 106, certificate server 140 and authentication module 108 can with describe about Figure 1A aboveClient 102, client modules 110, user 106, certificate server 140 and authentication module108 is identical, therefore, will not repeat these descriptions at this.
Authentication of users 106 can provide 177 request inputs 175 to client. Request input can be wrappedDraw together and start the instruction that checking is processed.
Client 102 receives 177 request inputs 175. Client 102 is carried to certificate server 140For 173 checking requests 171. Checking request 171 can comprise the described note above with reference to Figure 1AVolumes is according to 189 IDs that comprise.
With reference to Figure 1B, certificate server 140 can receive 173 checking requests 171. Authentication module108 can determine by the ID based on being included in checking request 171: authentication of users 106 pleaseAsk and be authenticated to be registered user 106. Certificate server 140 can provide 169 checking matter to clientAsk 167. Checking address inquires to can comprise the registration biometric template that is associated with registered user 106 andRandom number. Registration biometric template can be by the symbol " T " table in the key element of Figure 1B 167Show, and random number can be represented by the symbol in the key element of Figure 1B 167 " r ". Registration is biologicalThe registration biometer that metering template can comprise with the log-on data 189 of describing above with reference to Figure 1AAmount template is identical.
Except above-mentioned function, client modules 110 can comprise that being configured to definite checking asksAsk 171 and address inquires to and answer 159 code and routine. Be described in more detail below checking request 171 HesAddress inquires to and answer 159.
With reference to Figure 1B, client 102 can receive 169 checkings and address inquires to 167. Client 102 canProvide the input of checking biometric with prompting authentication of users 106 to client 102. Authentication of users 106Can provide 165 answer inputs 163 to client 102. Answer input 163 and can comprise that checking is rawThing metering input. The input of checking biometric can be by the symbol in the key element of Figure 1B 163 " B' "Represent. Client modules 110 can be based in part on the data that are included in the input of checking biometricDetermine private key. Private key can be by the symbol " k in the key element of Figure 1B 159pr" represent. Private key canWith corresponding with the PKI comprising above with reference to the described log-on data 189 of Figure 1A. For example, privateKey and PKI can form key pair.
With reference to Figure 1B, client modules 110 can use private key to sign to random number. VisitorFamily end 102 can provide 161 inquiries to answer 159 to certificate server 140. Addressing inquires to answer 159 canTo comprise signed random number. Signed random number can be by the key element of Figure 1B 159" d=sign (kpr, r) " represent. With reference to key element 159, symbol " kpr" expression private key, symbol " r "Represent random number, and symbol " d " represents signed random number.
Certificate server 140 can receive 161 inquiries and answer 159. Authentication module 108 can be analyzedAddress inquires to and answer to determine that whether private key is corresponding to PKI, thus instruction authentication of users 106 and registered userThe 106th, same person.
Fig. 1 C is for wherein realizing client modules 110 or authentication module 108 to provide based on collectionThe block diagram of the exemplary operations environment 160 of the biometric certification of closing. Shown operating environment 160Comprise client 102, client modules 110, user 106, certificate server 140, authentication module108 and network 107.
Although illustrating, Fig. 1 C is coupled to by correspondence one of client 102 and certificate server 140Individual network 107, but in fact one or more networks 107 can be coupled to these by correspondenceEntity.
Network 107 can comprise traditional network, wired or wireless network, and/or network107 can have the multiple different configurations that comprise star configuration, the ring-like configuration of token or other configurations.In addition, network 107 can comprise LAN (LAN), wide area network (WAN) (for example internet)And/or multiple equipment other internet data paths that can communicate by it. In some cases,Network 107 can comprise peer-to-peer network. Network 107 can also be coupled to or comprise for variousDifferent communication protocol sends a part for the communication network of data. In some cases, network107 comprise bluetooth communication network or the cellular communications networks for transmitting and receive data, comprise viaShort Message Service (SMS), multimedia information service (MMS), HTTP (HTTP),Immediate data connection, WAP and Email (e-mail) etc.
Client 102, client modules 110, user 106, certificate server 140 and certification mouldPiece 108 can with respect to Figure 1A and the described client 102 of Figure 1B, client modules 110,User 106, certificate server 140 are identical with authentication module 108, therefore, will not repeat this at thisA little description. Combine the C with reference to Figure 1A to Fig. 1, client 102 can be via network 107 to certificationServer 140 transmits log-on data 189, confirms data 179, verifies request 171 and address inquires to and answer159. Similarly, certificate server 140 can transmit and confirm to client 102 via network 107Request 185 and checking address inquires to 167.
Fig. 2 for arrange according at least one embodiment as herein described, for providing based on collectionThe block diagram of the example system 200 of the biometric certification of closing. The system 200 of Fig. 2 can be above to joinAccording to the example of the described client 102 of Figure 1A to Fig. 1 C.
System 200 can comprise treatment facility 202, network interface 204 and memory 206. System200 all parts can be coupled to each other by correspondence via bus 220.
Treatment facility 202 can comprise ALU, microprocessor, general purpose controller orOther processor array calculates and provides electronical display signal to display device to carry out a bit. ProcessEquipment 202 process data signal and can comprise various computing architectures, various computing architectures comprise multipleAssorted instruction set computer (CISC) framework, Reduced Instruction Set Computer (RISC) framework or realityShow the framework of the combination of instruction set. Although Fig. 2 comprises single treatment facility 202, can wrapDraw together multiple treatment facilities 202. Other processors, operating system, sensor, display and physics are joinedIt is feasible putting.
Network interface 204 can comprise for system 200 can be carried out with the network of Fig. 1 C 107Communication or the hardware communicating by the network 107 of Fig. 1 C. Network interface 204 can compriseBe configured to the code and the routine that make network interface 204 that its function can be provided.
Memory 206 can be stored instruction and/or the data that can be carried out by treatment facility 202. Refer toOrder and/or data can comprise the code for carrying out technology described herein. Memory 206 can wrapDraw together dynamic random access memory (DRAM) equipment, static RAM (SRAM)Equipment, flash memory or some other memory devices. In some cases, memory 206Also comprise nonvolatile memory or similarly permanent storage appliance and medium, comprise for more permanentBasis on storage information hard disk drive, floppy disk, CD-ROM equipment,DVD-ROM equipment, DVD-RAM equipment, DVD-RW equipment, flash memory device orPerson's some other mass-memory unit.
In described embodiment, memory 206 can be stored client modules 110, registrationData 189, confirmation data 179, checking request 171 and inquiry answer 159. Above with reference to Figure 1ADescribe these parts of system 200 to Fig. 1 C, therefore, will can not repeat these descriptions at this.
Fig. 3 A is the block diagram of the sample data 300 for user 106 is authenticated. Key element 305Comprise registration biometric template. Key element 310 comprises the input of registration biometric, this registration biometerAmount input comprises measures registered user's biometric. Key element 315 comprises the registration feature of obfuscationPoint data. Key element 320 comprises the registration code digital data of obfuscation. Key element 325 comprises based on random noteThe definite PKI of volume multinomial. Key element 302 comprise according to some embodiments by key element 305 to wantThe symbol that element 325 uses and the example description to each symbol.
In some implementations, the client modules 110 of Figure 1A to Fig. 2 comprises and being configured to reallyDetermine one or more codes and the example of the sample data 300 for user 106 is authenticatedJourney.
Fig. 3 B is the block diagram of the sample data 399 for user 106 is authenticated. Key element 330Comprise included data in checking inquiry. Key element 335 comprises the input of checking biometric, this checkingBiometric input comprises measures the biometric of authentication of users. Key element 340 comprises based on being included inRegister the registration feature point data of the obfuscation in biometric template and be included in checking biometricChecking characteristic point data in input and definite checking code word. Checking code word can be included in for decodingCandidate collection in. Key element 345 comprises for determining whether modifying for the candidate collection of decodingWeighting processing. Client modules can decode to determine checking multinomial to candidate collection. WantElement 350 comprises based on the definite private key of checking multinomial. Key element 397 comprises according to some embodimentsThe symbol being used by key element 330 to key element 350 and the example of each symbol is described.
In some implementations, the client modules 110 of Figure 1A to Fig. 2 comprises and being configured to reallyDetermine one or more codes and the example of the sample data 399 for user 106 is authenticatedJourney.
Fig. 4 illustrates, and registration that arrange according at least one embodiment as herein described, definite is biologicalThe example flow diagram of the method 400 of metering template and PKI. In some embodiments, method 400Can be integrally or partly by the biometric Verification System 100 such as Figure 1A and Figure 1B and/Or the system of the system 200 of Fig. 2 is carried out. For example, the treatment facility 202 of Fig. 2 can be programmedBe stored in computer instruction on memory 206 to carry out, to carry out by one of the method 400 of Fig. 4Individual or multiple represented functions and operation. Although be illustrated as discrete piece, can be according to the phaseThe implementation of hoping is divided into each piece other piece, is combined into less piece or by each pieceRemove.
Method 400 can start at piece 402 places. At piece 402 places, can receive registration biometricInput. Biometric input can comprise the biometric measurement being associated with registered user.
At piece 404 places, can determine random registration multinomial. Can choose randomly and equably noteVolume multinomial. Piece 404 can also comprise definite PKI. Can determine based on random registration multinomialPKI. For example, registering at random multinomial can be with acting on the seed that generates PKI.
At piece 406 places, can from be included in the registration biometric measurement biometric input, carryGet the set of characteristic point. The set of characteristic point can be put data by registration feature and be described. Characteristic point canTo be stored in couples. Use characteristic point data are to providing relative to each other but not with respect to definitelyThe identifying information about characteristic point of referential, this identifying information can produce rotational invariance and/orTranslation invariance.
At piece 408 places, can from ECC, select randomly one or more registration code words. OneIn a little implementations, piece 408 can comprise: for the each feature being included in the set of characteristic pointPoint, registration code word of random selection from ECC. Then one or more registration code words can be usedIn by the registration feature point data that form obfuscation, characteristic point data being carried out to obfuscation. Registration codeWord can also provide valuably error correction based on characteristic point data during checking is processed.
At piece 410 places, can build registration biometric template. Registration biometric template can rootAccording to " T=biXORci,ps(ci) " build, wherein, symbol " bi" expression description registration featureThe registration feature point data of the not obfuscation version of some data, symbol " ci" represent to select from ECCThe random code word of selecting, symbol " ps" represent random registration multinomial, and symbol " T " represents noteVolume biometric template. Can for the registration code word use XOR function that each characteristic point is corresponding with itValuably characteristic point data is carried out the privacy of obfuscation and the input of protection biometric.
The registration biometric template of piece 410 also provides by one or more registration code words and has protectedHold the polynomial obfuscation version of secret random registration. With which, if known enough registrationsCode word, can determine random registration multinomial. With which, registration biometric template also comprisesThere is the template point of the polynomial secret sharing of random registration.
At piece 412 places, can export registration biometric template and PKI. Biometric template and public affairsKey can be included in the note for registered user is registered in the certificate server based on setIn volumes certificate. Log-on data can also comprise registered user's ID. Log-on data can be viaUnsafe communication transmits, and this is because be included in biometric data in log-on data by mouldGelatinization and can not known one or more registration code words or register at random a polynomial side and send outExisting. Because in neither one or multiple registration code word or register at random log-on data in polynomial situationBiometric data be not findable, can openly visit so log-on data can be stored in its dataOn the server of asking. For example, log-on data can be stored in based on biometrics and realize PKI baseOn the public server of Infrastructure (PKI) scheme.
In some implementations, can carry out manner of execution 400 by the treatment facility of system 200 202One or more steps. Treatment facility 202 can be programmed with one of manner of execution 400 or manyIndividual step.
Fig. 5 illustrate arrange according at least one embodiment as herein described, be identified for testingThe example flow diagram of the method 500 of the private key that card user authenticates.
Method 500 can start at piece 502 places. At piece 502 places, can receive registration biometricTemplate. Piece 502 can comprise: input from authentication of users Receipt Validation biometric.
At piece 504 places, can be from checking biometric input the set of extract minutiae. At piece506 places, can determine obfuscation for each characteristic point of extracting from the input of checking biometricCharacteristic point data. Can pass through based on " yj=(bj'XORbiXORci) " feature to obfuscationPoint decoding data is determined the characteristic point data of obfuscation. Item " (bj'XORbi) " can determineDifference between these two template points. If the mistake that this difference is used at registered user's period of registrationIn the error correction capability of mistake correcting code, " yj" will be decoded into " ci", make authentication of users quiltCertification is registered user. But, if template point " bj' " and " bi" between difference be greater than mistakeThe error correction capability of correcting code, " yj" will be decoded into incorrect code word, checking is usedFamily is not authenticated to be registered user.
At piece 508 places, can determine that weight is to create the candidate collection for decoding. Symbol " (yjXORci') " can comprise error vector. Can determine the weight of each error vector and it is dividedAnalyse to determine which template point is to being the correct coupling for registration biometric template.
Determine that at piece 510 places weight is lower than threshold value, this instruction template point to be for register biometricThe correct coupling of template.
At piece 512 places, recover checking multinomial. Can use and be included in client modulesWelch-Berlekamp decoder recovers to verify multinomial. And if only if piece 506 places recoverThe number that the number of correct verification code word deducts incorrect checking code word is greater than random registration multinomialExponent number time, Welch-Berlekamp decoder can return and equal to register at random polynomial checkingMultinomial.
At piece 514 places, can determine or export private key. Can be based in the definite checking in piece 512 placesMultinomial is determined private key.
In some implementations, can carry out manner of execution 500 by the treatment facility of system 200 202One or more steps. Treatment facility 202 can be programmed with one of manner of execution 500 or manyIndividual step.
As discussed in more detail below, embodiment described herein can comprise that use comprises various metersThe special-purpose computer of calculation machine hardware or software module or all-purpose computer.
Embodiment described herein can use be used for carrying or its on store computer and can carry out and refer toThe computer-readable medium of order or data structure is realized. Such computer-readable medium can beAny usable medium that can be conducted interviews by universal or special computer. As non-limiting example,Such computer-readable medium can comprise non-transient state computer-readable recording medium, comprising: randomAccess memory (RAM); Read-only storage (ROM); EEPROM(EEPROM); Compact disc read-only memory (CD-ROM) or other optical disk storage apparatus; DiskStorage device or other magnetic storage apparatus; Flash memory device (for example solid-state memory device);Or can be for carrying or store the expectation journey of form of computer executable instructions or data structureOrder code and any other storage mediums that can be conducted interviews by universal or special computer. Above-mentionedCombination also can be included in the scope of computer-readable medium.
Computer executable instructions comprises and for example makes all-purpose computer, special-purpose computer or dedicated processesEquipment (for example one or more processors) is carried out the instruction and data of certain function or certain group function.Although used specific to the language description of architectural feature and/or deemed-to-satisfy4 action theme,Understand, be not necessarily limited to specific feature mentioned above at theme defined in the appended claimsOr action. On the contrary, specific feature mentioned above or action are disclosed as and realize showing of claimExample form.
As used herein, term " module " or " parts " can refer to and be configured to carry outThe specific hardware realization of the operation of module or parts and/or software object or software routines, this software pairResemble or software routines can be stored in computing system common hardware (for example computer-readable medium, locateReason equipment etc.) go up and/or carried out by the common hardware of computing system. In some embodiments,Different parts as herein described, module, engine and service may be implemented as on computing system holdsObject or the processing (for example,, as independent thread) of row. Although system and method as herein describedIn some system and methods be usually described as with software (be stored on common hardware and/or byCommon hardware is carried out) realize, but specific hardware implementation or software and specific hardware realizeThe combination of mode is also feasible and can anticipate. In this manual, " computational entity " canAny computing system or the operational blocks which partition system of moving on computing system or the mould previously having defined hereinThe combination of piece.
All examples described in this paper and conditional language are that object for teaching is to assist readerUnderstand the present invention and contributed by inventor for advancing the concept of prior art, and should be byBe interpreted as being not limited to example and the condition of so concrete elaboration. Although described the present invention in detailEmbodiment, but it should be understood that can be in feelings without departing from the spirit and scope of the present inventionUnder condition, embodiments of the present invention are carried out to various changes, replacement and change.

Claims (20)

1. a method, comprising:
The set of extracting registration feature point from registration biometric is measured;
The one or more registration code words of random selection from error-correcting code;
Determine the registration feature point data of obfuscation, the registration feature point data description institute of described obfuscationState the obfuscation version of the set of characteristic point, the obfuscation version of the set of described characteristic point is to use instituteState one or more registration code words and carry out obfuscation, making not having described one or more registrationIn the situation of code word, can not determine described characteristic point according to the registration feature point data of described obfuscationSet;
Determine the registration code digital data of obfuscation, the registration code digital data of described obfuscation describes described oneThe obfuscation version of individual or multiple registration code words, the obfuscation version of described one or more registration code wordsTo use random registration multinomial to carry out obfuscation, to make not having described random registration multinomialSituation under can not determine described one or more code word according to the registration code digital data of described obfuscation;
Determine and comprise the registration feature point data of described obfuscation and the registration code number of words of described obfuscationAccording to registration biometric template; And
Use computing equipment based on processor to determine and make described one or more registration code word and instituteState random registration multinomial and keep secret log-on data, the described computing equipment based on processor is compiledJourney is described definite to carry out, and described log-on data comprises described registration biometric template.
2. method according to claim 1, also comprises: based on described random registration multinomialGenerate PKI, wherein, described log-on data comprises described PKI, and described PKI make described withThe gelatinization of machine registration polynomial module.
3. method according to claim 1, wherein, is sent to service by described log-on dataDevice, described server can be conducted interviews by third party described log-on data.
4. method according to claim 3, wherein, described server is based on biometricsRealize PKIX PKI scheme.
5. method according to claim 1, wherein, transmits described note via non-security communicationVolumes certificate.
6. method according to claim 1, wherein, described log-on data and registered user's phaseAssociation, and described log-on data is determined by the client being associated with described registered user.
7. method according to claim 2, also comprises:
In response to receiving the checking inquiry that comprises described log-on data and random number, from verifying biologyThe set of extracting checking characteristic point in measurement, wherein, described log-on data is relevant to registered userConnection, and described checking biometric is measured and the authentication attempt authentication of users phase that is described registered userAssociated;
Analyze described log-on data to determine the described registration biometric that is included in described log-on dataThe registration feature point data of the described obfuscation in template; And
The registration feature point data of the set based on described checking characteristic point and described obfuscation are determinedOne or more checking code words.
8. method according to claim 7, also comprises:
Analyze described log-on data to determine the described PKI being included in described log-on data; And
Determine checking multinomial based on described one or more checking code words.
9. method according to claim 8, also comprises:
Determine private key based on described checking multinomial; And
By described random number being signed and is determined inquiry answer with described private key, wherein, baseIn described private key whether corresponding to described PKI to form key pair, described authentication of users is authenticated to be instituteState registered user.
10. a non-transient state computer-readable medium, stores on described non-transient state computer-readable mediumHave computer instruction, described computer instruction can be carried out with executable operations or control by treatment facilityThe execution of system operation, described operation comprises:
Determine random registration multinomial;
The set of extracting registration feature point from registration biometric is measured;
The one or more registration code words of random selection from linear error-correcting code;
Determine the registration feature point data of obfuscation, the registration feature point data description institute of described obfuscationState the obfuscation version of the set of characteristic point, the obfuscation version of the set of described characteristic point is to use instituteState one or more registration code words and carry out obfuscation, making not having described one or more registrationIn the situation of code word, can not determine described characteristic point according to the registration feature point data of described obfuscationSet;
Determine the registration code digital data of obfuscation, the registration code digital data of described obfuscation describes described oneThe obfuscation version of individual or multiple registration code words, the obfuscation version of described one or more registration code wordsTo use described random registration multinomial to carry out obfuscation, to make not having described random registration manyIn the situation of item formula, can not determine described one or more according to the registration code digital data of described obfuscationCode word;
Determine and comprise the registration feature point data of described obfuscation and the registration code number of words of described obfuscationAccording to registration biometric template;
Generate PKI based on described random registration multinomial, wherein, described PKI makes described random noteThe gelatinization of volume polynomial module; And
Determine described one or more registration code word and described random registration multinomial maintenance are maintained secrecyLog-on data, described log-on data comprises described registration biometric template and described PKI.
11. non-transient state computer-readable mediums according to claim 10, wherein, described noteVolumes is according to being transferred into server, and described server can be carried out by third party described log-on dataAccess.
12. non-transient state computer-readable mediums according to claim 10, wherein, described noteVolumes is according to transmitting via unencrypted communication.
13. non-transient state computer-readable mediums according to claim 10, wherein, described noteVolumes is according to being associated with registered user, and described log-on data is by being associated with described registered userClient is determined.
14. non-transient state computer-readable mediums according to claim 10, wherein, described behaviourAlso comprise:
In response to receiving the checking inquiry that comprises described log-on data and random number, from verifying biologyThe set of extracting checking characteristic point in measurement, wherein, described log-on data is relevant to registered userConnection, and described checking biometric is measured and the authentication attempt authentication of users phase that is described registered userAssociated;
Analyze described log-on data to determine the described registration biometric that is included in described log-on dataThe registration feature point data of the described obfuscation in template;
The registration feature point data of the set based on described checking characteristic point and described obfuscation are determinedOne or more checking code words;
Analyze described log-on data to determine the described PKI being included in described log-on data; And
Determine checking multinomial based on described one or more checking code words.
15. non-transient state computer-readable mediums according to claim 14, wherein, described behaviourAlso comprise:
Determine private key based on described checking multinomial; And
By described random number being signed and is determined inquiry answer with described private key, wherein, baseIn described private key whether corresponding to described PKI to form key pair, described authentication of users is authenticated to be instituteState registered user.
16. non-transient state computer-readable mediums according to claim 15, wherein, described behaviourDo to be performed at the client-side of network.
17. non-transient state computer-readable mediums according to claim 15, wherein, described behaviourDo to bring in execution by the client who is associated with described registered user, make by relevant to described registered userThe described client of connection brings in to carry out described authentication of users is authenticated as described registered user.
18. 1 kinds of methods, comprising:
In response to receiving the checking inquiry that comprises log-on data and random number, from checking biometricThe set of extracting checking characteristic point in measurement, wherein, described log-on data is associated with registered user,And the authentication of users that it is described registered user to authentication attempt that described checking biometric is measured is relevantConnection;
Analyze described log-on data to determine the described registration biometric that is included in described log-on dataThe registration feature point data of the obfuscation in template, wherein, the registration feature point data of described obfuscationThe collection of the characteristic point of extracting from the registration biometric template being associated with described registered user is describedThe obfuscation version closing;
The registration feature point data of the set based on described checking characteristic point and described obfuscation are determinedOne or more checking code words;
Analyze described log-on data to determine the PKI being included in described log-on data; And
Determine checking multinomial based on described one or more checking code words.
19. methods according to claim 18, also comprise:
Determine private key based on described checking multinomial; And
By described random number being signed and is determined inquiry answer with described private key, wherein, baseIn described private key whether corresponding to described PKI to form key pair, described authentication of users is authenticated to be instituteState registered user.
20. methods according to claim 18, wherein, described log-on data comprises that registration is rawThing metering template, and described registration biometric template comprises the registration code digital data of obfuscation, instituteThe registration code digital data of stating obfuscation is described the obfuscation version of one or more registration code words, wherein,The registration code digital data of described obfuscation is for making to be included in the registration feature point data of described obfuscationIn the set obfuscation of described characteristic point, to make not having described one or more registration code wordsIn the situation of obfuscation version, not can not determine the set of described characteristic point.
CN201510648649.9A 2014-12-04 2015-10-09 Biometric authentication method and computer-readable medium based on secret protection set Active CN105681269B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14/560,435 US9967101B2 (en) 2014-12-04 2014-12-04 Privacy preserving set-based biometric authentication
US14/560,435 2014-12-04

Publications (2)

Publication Number Publication Date
CN105681269A true CN105681269A (en) 2016-06-15
CN105681269B CN105681269B (en) 2019-05-14

Family

ID=53835315

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510648649.9A Active CN105681269B (en) 2014-12-04 2015-10-09 Biometric authentication method and computer-readable medium based on secret protection set

Country Status (4)

Country Link
US (1) US9967101B2 (en)
EP (1) EP3043290B1 (en)
JP (1) JP6555073B2 (en)
CN (1) CN105681269B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108322480A (en) * 2018-03-19 2018-07-24 武汉康慧然信息技术咨询有限公司 Information authentication method in smart home
CN110489960A (en) * 2018-05-14 2019-11-22 通用汽车环球科技运作有限责任公司 Authentication method and system

Families Citing this family (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10608823B2 (en) 2016-06-24 2020-03-31 Fujitsu Limited Cryptographic primitive for user authentication
FR3054905B1 (en) * 2016-08-04 2019-10-18 Safran Identity & Security KEY GENERATION METHOD AND ACCESS CONTROL METHOD
CN106341227B (en) * 2016-10-27 2019-08-09 北京瑞卓喜投科技发展有限公司 The method, apparatus and system of resetting protection password based on server decryption ciphertext
US10255416B2 (en) 2017-01-25 2019-04-09 Ca, Inc. Secure biometric authentication with client-side feature extraction
WO2018156068A1 (en) * 2017-02-22 2018-08-30 Fingerprint Cards Ab Biometrics-based remote login
US11431504B2 (en) * 2017-03-24 2022-08-30 Visa International Service Association Authentication system using secure multi-party computation
DE102017106855A1 (en) * 2017-03-30 2018-10-04 Bundesrepublik Deutschland, Vertreten Durch Das Bundesministerium Des Innern, Vertreten Durch Das Bundesamt Für Sicherheit In Der Informationstechnik Biometrics-based object binding
US11095639B2 (en) * 2017-05-11 2021-08-17 Synergex Group Methods, systems, and media for authenticating users using biometric signatures
US11115215B2 (en) 2017-07-27 2021-09-07 Fingerprint Cards Ab Methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data
EP3682357B1 (en) * 2017-09-13 2022-03-09 Fingerprint Cards Anacatum IP AB Methods and devices of enabling authentication of a user of a client device over a secure communication channel based on biometric data
US10305690B1 (en) * 2017-11-29 2019-05-28 Fingerprint Cards Ab Two-step central matching
US11170084B2 (en) 2018-06-28 2021-11-09 Private Identity Llc Biometric authentication
US11789699B2 (en) 2018-03-07 2023-10-17 Private Identity Llc Systems and methods for private authentication with helper networks
US10721070B2 (en) 2018-03-07 2020-07-21 Private Identity Llc Systems and methods for privacy-enabled biometric processing
US11210375B2 (en) 2018-03-07 2021-12-28 Private Identity Llc Systems and methods for biometric processing with liveness
US11394552B2 (en) 2018-03-07 2022-07-19 Private Identity Llc Systems and methods for privacy-enabled biometric processing
US10938852B1 (en) 2020-08-14 2021-03-02 Private Identity Llc Systems and methods for private authentication with helper networks
US11502841B2 (en) 2018-03-07 2022-11-15 Private Identity Llc Systems and methods for privacy-enabled biometric processing
US11138333B2 (en) * 2018-03-07 2021-10-05 Private Identity Llc Systems and methods for privacy-enabled biometric processing
US11392802B2 (en) 2018-03-07 2022-07-19 Private Identity Llc Systems and methods for privacy-enabled biometric processing
US11489866B2 (en) 2018-03-07 2022-11-01 Private Identity Llc Systems and methods for private authentication with helper networks
US11265168B2 (en) 2018-03-07 2022-03-01 Private Identity Llc Systems and methods for privacy-enabled biometric processing
GB201804818D0 (en) * 2018-03-26 2018-05-09 Data Signals Ltd Method and apparatus for data obfuscation
US20190327092A1 (en) 2018-04-23 2019-10-24 Avago Technologies General Ip (Singapore) Pte. Ltd. Methods and systems for secure biometric authentication
WO2020049565A1 (en) 2018-09-05 2020-03-12 De-Identification Ltd. System and method for performing identity authentication based on de-identified data
US11042620B2 (en) * 2019-03-05 2021-06-22 King Abdulaziz University Securing electronic documents with fingerprint/biometric data
CN114826778B (en) * 2022-06-21 2022-09-27 杭州安恒信息技术股份有限公司 Authentication method, device, equipment and medium
US11811752B1 (en) * 2022-08-03 2023-11-07 1080 Network, Inc. Systems, methods, and computing platforms for executing credential-less network-based communication exchanges

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1965279A (en) * 2004-06-09 2007-05-16 皇家飞利浦电子股份有限公司 Architectures for privacy protection of biometric templates
US20090060188A1 (en) * 2007-08-31 2009-03-05 Mcgrew David Determining security states using binary output sequences
CN102394896A (en) * 2011-12-13 2012-03-28 甘肃农业大学 Privacy-protection fingerprint authentication method and system based on token
CN104185847A (en) * 2012-09-28 2014-12-03 英特尔公司 Multi-factor authentication using biometric data

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7003670B2 (en) * 2001-06-08 2006-02-21 Musicrypt, Inc. Biometric rights management system
US20050206501A1 (en) * 2004-03-16 2005-09-22 Michael Farhat Labor management system and method using a biometric sensing device
US8452969B2 (en) * 2009-09-16 2013-05-28 GM Global Technology Operations LLC Flexible broadcast authentication in resource-constrained systems: providing a tradeoff between communication and computational overheads
JP5859953B2 (en) * 2010-09-30 2016-02-16 パナソニック株式会社 Biometric authentication system, communication terminal device, biometric authentication device, and biometric authentication method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1965279A (en) * 2004-06-09 2007-05-16 皇家飞利浦电子股份有限公司 Architectures for privacy protection of biometric templates
US20090060188A1 (en) * 2007-08-31 2009-03-05 Mcgrew David Determining security states using binary output sequences
CN102394896A (en) * 2011-12-13 2012-03-28 甘肃农业大学 Privacy-protection fingerprint authentication method and system based on token
CN104185847A (en) * 2012-09-28 2014-12-03 英特尔公司 Multi-factor authentication using biometric data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHRISTIAN RATHGEB: "A survey on biometric cryptosystems and cancelable biometrics", 《EURASIP JOURNAL ON INFORMATION SECURITY》 *
DANIEL AUGOT: "A public key encryption scheme based on the polynomial reconstruction problem", 《SPRINGER INTERNATIONAL PUBLISHING》 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108322480A (en) * 2018-03-19 2018-07-24 武汉康慧然信息技术咨询有限公司 Information authentication method in smart home
CN108322480B (en) * 2018-03-19 2020-11-20 王锐 Information authentication method in smart home
CN110489960A (en) * 2018-05-14 2019-11-22 通用汽车环球科技运作有限责任公司 Authentication method and system
CN110489960B (en) * 2018-05-14 2023-08-15 通用汽车环球科技运作有限责任公司 Authentication method and system

Also Published As

Publication number Publication date
EP3043290A1 (en) 2016-07-13
JP6555073B2 (en) 2019-08-07
US20160164682A1 (en) 2016-06-09
JP2016111687A (en) 2016-06-20
EP3043290B1 (en) 2020-05-27
CN105681269B (en) 2019-05-14
US9967101B2 (en) 2018-05-08

Similar Documents

Publication Publication Date Title
CN105681269A (en) Privacy preserving set-based biometric authentication
US11343099B2 (en) System and method for securing personal information via biometric public key
US20220318355A1 (en) Remote usage of locally stored biometric authentication data
CN107079034B (en) Identity authentication method, terminal equipment, authentication server and electronic equipment
ES2818199T3 (en) Security verification method based on a biometric characteristic, a client terminal and a server
JP7421766B2 (en) Public key/private key biometric authentication system
KR101666374B1 (en) Method, apparatus and computer program for issuing user certificate and verifying user
KR102408761B1 (en) System and method for implementing a one-time-password using asymmetric cryptography
JP6852592B2 (en) Cryptographic primitives for user authentication
US10454913B2 (en) Device authentication agent
US20210234857A1 (en) Authentication system, authentication method, and application providing method
US20130262873A1 (en) Method and system for authenticating remote users
WO2012042775A1 (en) Biometric authentication system, communication terminal device, biometric authentication device, and biometric authentication method
CN111886828B (en) Online authentication based on consensus
US9124571B1 (en) Network authentication method for secure user identity verification
Jung et al. An improved and secure anonymous biometric-based user authentication with key agreement scheme for the integrated epr information system
US9882719B2 (en) Methods and systems for multi-factor authentication
CN108141363A (en) For the device of certification, method and computer program product
CN105164689A (en) User authentication
CN116318617B (en) Medical rescue material charity donation method based on RFID and blockchain
JP2022524288A (en) Biometric public key system that provides revoked certificates
SE540649C2 (en) Method and system for secure password storage
WO2021226471A1 (en) Computer-implemented user identity verification method
US11706032B2 (en) Method and apparatus for user authentication
Vorugunti et al. Improving security of lightweight authentication technique for heterogeneous wireless sensor networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant